Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 19, 2024, 9:54 a.m.	June 19, 2024, 9:57 a.m.

Size	424.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`13e5872e9b7c47090e035dc228c5589f`
SHA256	`d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc`
CRC32	`A1AC4AF1`
ssdeep	`6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz`
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

bin.exe "C:\Users\test22\AppData\Local\Temp\bin.exe"
1508
- Hkbsse.exe "C:\Users\test22\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
  2120
  - blob.exe "C:\Users\test22\AppData\Local\Temp\1000001001\blob.exe"
    2300
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	142.202.242.43
o7labs.top	A 91.92.240.234	91.92.240.234

IP Address	Status	Action
125.253.92.50	Active	Moloch
164.124.101.2	Active	Moloch
91.92.240.234	Active	Moloch
91.92.244.178	Active	Moloch
47.76.164.119	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.92.240.234:80 -> 192.168.56.103:49165	2400012	ET DROP Spamhaus DROP Listed Traffic Inbound group 13	Misc Attack
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 91.92.240.234:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 91.92.240.234:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 125.253.92.50:80	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 91.92.240.234:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 91.92.240.234:80 -> 192.168.56.103:49166	2014819	ET INFO Packed Executable Download	Misc activity
TCP 91.92.240.234:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.92.240.234:80 -> 192.168.56.103:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 91.92.240.234:80 -> 192.168.56.103:49166	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.103:49166 -> 91.92.240.234:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.103:49165 -> 91.92.240.234:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 91.92.240.234:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 91.92.244.178:9345 -> 192.168.56.103:49170	2400012	ET DROP Spamhaus DROP Listed Traffic Inbound group 13	Misc Attack
TCP 192.168.56.103:49172 -> 125.253.92.50:80	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://o7labs.top/visual/skins/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://o7labs.top/visual/skins/index.php?scr=1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://o7labs.top/visual/blob.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://o7labs.top/visual/build.exe

Performs some HTTP requests (4 events)

request	POST http://o7labs.top/visual/skins/index.php
request	POST http://o7labs.top/visual/skins/index.php?scr=1
request	GET http://o7labs.top/visual/blob.exe
request	GET http://o7labs.top/visual/build.exe

Sends data using the HTTP POST Method (2 events)

request	POST http://o7labs.top/visual/skins/index.php
request	POST http://o7labs.top/visual/skins/index.php?scr=1

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

o7labs.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 19, 2024, 9:54 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 19, 2024, 9:54 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Hkbsse.exe tried to sleep 122 seconds, actually delayed analysis time by 122 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\1000001001\blob.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\build.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\5641a448ac\Hkbsse.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\blob.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\build.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\1000003001\build.exe
file	C:\Users\test22\AppData\Local\Temp\5641a448ac\Hkbsse.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 19, 2024, 9:54 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\5641a448ac\Hkbsse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\5641a448ac\Hkbsse.exe	1	1
ShellExecuteExW June 19, 2024, 9:54 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\blob.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000001001\blob.exe	1	1
ShellExecuteExW June 19, 2024, 9:54 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\build.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000003001\build.exe	1	1

An executable file was downloaded by the process hkbsse.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile June 19, 2024, 9:54 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEddmofð"n\'@@0(`p<ð't (x (8X.textöln `.rdata r@@.data°D' :'@À.pdatatð'Æ'@@.00cfg(È'@@.tls(Ê'@À.relocx (Ì'@BVHì HpÇHpÇHpÇH Õo·1ÀúMZuKHcQ<<PEu>HÑ·Qútúu'ytr!HÁèë¹rHÁø1À9ÀH o9ñÈ'¹Ùè¸jHÙo0è 0H¹o0èê0èH,o8uH è 1ÀHÄ ^ÃHì(HoÈ'HÈ'H ooD HD$ H tÈ'HqÈ'LrÈ'èjHÄ(ÃHì(HÕnÇè HÄ(ÃfAWAVVWSHì eH%0HxH5Én1ÀðH±>Ãt.H9Çt)L5¡f¹èAÿÖ1ÀðH±>ÃtH9ÇuçH=nøu¹èië'?t ÆÉÇ'ëÇH znH{nèiøuH PnHQnè\|iÇÛt1ÀHHæmHHÀt1ÉºE1ÀÿÆí'è9H ÂÿÜH åmHH +è& èHc=Ç'Hýè=iHÆHÿ~GûL5Ç'E1ÿfKþè7iHxHùèiJþKþHÁIøèiIÿÇL9ûuÐë1ÛHÇÞH5µÆ'èØH±Æ'H "mH H Æ'HÆ'LÆ'è«%Æ'=jÆ't =}Æ'uèNhtÆ'HÄ [_^A^A_ÃÁèehÌ@Hì(HÅlÇèúýÿÿHÄ(ÃfHì(è'h1ÉHøÉÈHÄ(ÃÃÌÌÌXHL$HT$LD$LL$ Hì( Mè(cNH1ÉèÊeHCH1À6HÄ(HL$HT$LD$LL$ IÊ ÿÿ5ÃÇòÝã4èÿÿÿÇãH:µèrÿÿÿÇÔNuÞècÿÿÿÇÅ5ªèTÿÿÿÇ¶-èEÿÿÿÇ§i8ôè6ÿÿÿÇ1çè'ÿÿÿÇãD¨èÿÿÿÇznêaè ÿÿÿÇk±ª#èúþÿÿÇ\À£l&èëþÿÿÇMf} èÜþÿÿÇ>Ñ/ÖÿèÍþÿÿÇ/¦è¾þÿÿÇ Sôuhè¯þÿÿÇçE6è þÿÿÇ"+ÔèþÿÿÇóóÄJèþÿÿÇäå%ÝèsþÿÿÇÕ¾saèdþÿÿÇÆ¢8÷èUþÿÿÇ·V>¸èFþÿÿÇ¨/¿öùè7þÿÿÇµ$¶è(þÿÿÇÄ7èþÿÿÇ{FÊè þÿÿÇlãa.èûýÿÿÇ]W>èìýÿÿÇN×íÞPèÝýÿÿÇ?Vk»èÎýÿÿÇ0¢~ñ£è¿ýÿÿÇ!}çãè°ýÿÿÇ£qø±è¡ýÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌHì(H HHÀt.ffff.ÿâé'HëHHH àH@HÀußHÄ(Ãf.VWSHì H5:jøÿu¸ÿÿÿÿfDHÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿmé'HÿËÿHßuëH TÿÿÿHÄ [_^é¸üÿÿVWSHì =âÂ'tHÄ [_^ÃÆÑÂ'H5²iøÿu¸ÿÿÿÿfffff.HÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿÝè'HÿËÿHßuëH ÄþÿÿHÄ [_^é(üÿÿÌÌÌÌÌÌÌÌ1ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌVWHì(Hci8tÇút<úuAH5yH=yH9÷uë,fHÇH9þtHHÀtïÿQè'ëçºè ¸HÄ(_^Ã1ÀÃffff.Hì(útÒuèî¸HÄ(ÃÌÌÌÌVWHì8HÎÿÈøwHH ÑiHc<HÏëH=i¹è[ LNFòN òL$0D$ HkiHÁIøèÑc1ÀHÄ8_^ÃÌÌÌÌÌÌÌÌÛãÃÌÌÌÌÌÌÌÌÌÌÌÌÌUAWAVAUATVWSHìHl$=LÁ'mÆ?Á'Hì ènHÄ HHHÅHàðè H)ÄHàHÁ'ÇÁ'H=ÅjHøH+ÃjHøH²jHøH)ØHø\|,Hj;u/Hj{u"HjHXxHEØ;u {ÓH;\jsHL5«fHuffffff.KB1LñEHì A¸HòèHÄ HÃH9ûrÒTÀ'À~g¿H<À'1ÛHuøL5zëffff.HÿÃHcÈHÇ(H9Ë}0DD:ðEÀtçHL:øH:Hì IñAÿÖHÄ Hé¿'ë¿'ëÁHe[_^A\A]A^A_]ÃSú[HÃH;yiaÿÿÿL5ÄeL=½gA¼HuøI½ÿÿÿÿëffffff.HÃH9û!ÿÿÿKAÈAàøAÀøA¬ÈAø×CLðN2OcMúAÿâD¶MÿÿÿEÛëD·MÿÿfEÛë DO+EÛMIÓëLLòI)ÒMÊLUø¶Ñú?w&IÇÃÿÿÿÿÑIÓãI÷ÓM9ÚLJÿIÇÃÿÿÿÿIÓãM9Ú\|:AøDÿÿÿE£Ä:ÿÿÿIcÈH0hLÊHì HÁHòèMHÄ éÿÿÿHì0LT$ H gIÀèÌ¶ÑHì H Øfè¹Hì H fè©ÌAWAVATVWSHìXLÇHÓHÎD=;¾'Eÿ~GH'¾'JýH1ÒëHÂ(H9Ñt#LDI9ðwíLL EIMÈI request_handle: 0x00cc000c	1	1	0
InternetReadFile June 19, 2024, 9:54 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ôqfà0Þ°Îü @ à@\|üO®À H.textÔÜ Þ `.rsrc®®à@@.relocÀ@B°üH`O(À>Å0(û*0; %¢ y( o Ð( o ( (#t0; %¢ y( o Ð( o ( (#t0; %¢ Åy( o Ð( o ( (#t0? %¢%¢ ¯y( o Ð( o ( (#t0; %¢ y( o Ð( o ( (#t0 %¢ Yy(#t0; %¢ y( o Ð( o ( (#t0+ %¢%¢%¢ y(#t0; %¢ ï+y( o Ð( o ( (#t0z+¾Í(ê 89o 88¥Q(êa+E[(êa+,(êa8)XE:8õ(L+É(êô+».YE.@ú++5XE/BSe8iÿÿÿ1(L8Wÿÿÿ8Dÿÿÿo â84ÿÿÿ(êþá8!ÿÿÿ,#2(L8ÿÿÿ(êX à8þþÿÿ++- +Fo (êþ,$+æì?¾þÿÿ+?òþÿÿ+ ¶?ÿÿÿ++:©þÿÿ + 2+¾Ë( 0, ª+y( o ( o ( (#t0, ây( o ( o ( (#t0, ey( o ( o ( (#t0, Çy( o ( o ( (#t0, y( o ( o ( (#t0, «y( o ( o ( (#t0 y%y(#t0 %y(#&2+ª( 0 %¢ (%y(#t07 %¢ ô%y( o ( o ( (#¥¶07 %¢ %y( o ( o ( (#¥¶07 %¢ L$y( o ( o ( (#¥¶07 %¢ 1y( o ( o ( (#¥¶07 %¢ ±úy( o ( o ( (#¥¶07 %¢ Cáy( o ( o ( (#¥¶0 %¢ Ú¡y(#¥¶00 ¬´y( o Ð( o ( (#t0; %¢ M°y( o Ð( o ( (#t0 %¢ ¸Ìy(#t2+½¯( 0; %¢ ÄËy( o Ð( o ( (#t0; %¢ AÙy( o Ð( o ( (#t0; %¢ Õy( o Ð( o ( (#t0 %¢ Ñ×y(#t0 %¢ Ñy(#t0 %¢ æy(#t0; %¢ Éºy( o Ð( o ( (#t0 ·æy(#&2+®°( 0 %¢ áy(#t0< % ¢ Íáy( o ( o ( (#¥¶0< % ¢ ãáy( o ( o ( (#t0< % ¢ Wày( o ( o ( (#¥¶0< % ¢ eày( o ( o ( (#t0< % ¢ Aãy( o ( o ( (#¥¶0< % ¢ ãy( o ( o ( (#t00 ¿øy( o Ð ( o ( (#t2+Í«( 0 Rûy(#¥¶0 %¢ åúy(#¥¶0 &y(#t*0³rp s % ÿÿÿjo % ÿÿÿjo %#>@( o %#>@( o %#>@( o %#>@( o %o %s % f¨o % ÿÿÿo % ÿÿÿo % ÿÿÿo % ÿÿÿo o %s %s %o o o o o! request_handle: 0x00cc000c	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	91.92.244.178
host	47.76.164.119

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\blob.exe				reg_value	C:\Users\test22\AppData\Local\Temp\1000001001\blob.exe
file	C:\Windows\Tasks\Hkbsse.job

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Lionic	Trojan.Win32.Deyma.a!c
Elastic	Windows.Generic.Threat
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojandownloader.Deyma
Skyhigh	BehavesLike.Win32.Generic.gh
ALYac	Gen:Variant.Zusy.552096
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.552096
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 0057994f1 )
BitDefender	Gen:Variant.Zusy.552096
K7GW	Trojan-Downloader ( 0057994f1 )
Cybereason	malicious.e9b7c4
Arcabit	Trojan.Zusy.D86CA0
Baidu	Win32.Trojan.Delf.in
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
APEX	Malicious
McAfee	Artemis!13E5872E9B7C
Avast	Win32:BotX-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.gen
Alibaba	TrojanDownloader:Win32/Deyma.e70d6283
NANO-Antivirus	Trojan.Win32.Redcap.koqimc
MicroWorld-eScan	Gen:Variant.Zusy.552096
Rising	Spyware.Agent!8.C6 (TFE:5:5qH3vzGUSkV)
Emsisoft	Gen:Variant.Zusy.552096 (B)
F-Secure	Trojan.TR/Redcap.blcoe
DrWeb	Trojan.DownLoader47.3915
TrendMicro	Trojan.Win32.AMADEY.YXEFQZ
McAfeeD	Real Protect-LS!13E5872E9B7C
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.13e5872e9b7c4709
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Redcap.blcoe
MAX	malware (ai score=87)
Antiy-AVL	Trojan[Downloader]/Win32.Deyma
Kingsoft	malware.kb.a.988
Gridinsoft	Trojan.Win32.Downloader.ca
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan-Downloader.Win32.Deyma.gen
GData	Gen:Variant.Zusy.552096
Varist	W32/Agent.HSX.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R653644
BitDefenderTheta	Gen:NN.ZexaF.36806.AuW@aOikWCoi
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanDownloader.Deyma
Malwarebytes	Trojan.Amadey

bin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All